| From | Paul <nospam@needed.invalid> |
|---|---|
| Newsgroups | alt.comp.os.windows-10 |
| Subject | Re: Dealing with Windows Security's "Ransomware protection" |
| Date | 2025-02-25 13:35 -0500 |
| Organization | A noiseless patient Spider |
| Message-ID | <vpl2ic$24lmg$1@dont-email.me> |
| References | <vpkfnq$1vpet$2@dont-email.me> <vpklel.l4s.1@ID-201911.user.individual.net> <vpkn9e$21ock$1@dont-email.me> |
On Tue, 2/25/2025 10:23 AM, Ed Cryer wrote:
> Frank Slootweg wrote:
>> John C. <r9jmg0@yahoo.com> wrote:
>>> Windows Security's "Ransomware protection" is about as much of a PITA as
>>> User Account Control.
>> [...]
>>> What do YOU think about Ransomware protection?
>>
>> Not much. On my Windows 11 system, 'Controlled folder access' is *off*
>> and I don't think I turned it off, so I assume 'off' is the default.
>>
>> I also checked on my wife's Windows 10 system and 'Controlled folder
>> access' is off on that system as well. So the default *is* 'off',
>> because I would never lessen security on that system.
>
> It's off in my Win10 as well; default setting.
> I wonder how it actually functions to detect ransomware?
>
> My own protection is a well-kept backup image.
>
> Ed

Ransomware attack vectors and methods:

Originally, naively named executables, blockable by AppLocker.
Most common attack vector today is targeted phishing (hospitals, town governments).

Used to have a "service model". The infected punter was given an email
address, to converse with. Talk the service agent "down from three
Bitcoins to two Bitcoins". (That tells you this happened quite a long
time ago -- Bitcoins were at a low of $3 each at one time.) The service
agent would send you your key, you would decrypt your files.

The Black Hats found this model too expensive. It took a lot of service
agents. The service agent took a cut, and so on.

Information on the latest (personalized) threats is slim.
Likely to be via phishing (clicking the GoDaddy attachment concerning domain renewal).
Ransomware hides stealthily for one month. It no longer attacks immediately.
It seeks to understand what defenses you have (such as backup drives).

Attack can be file-by-file, but that is old-fashioned. Each file has
an extension added to the end of it, indicating it has been attacked.
The .xls and .doc are attacked first, as OS files are worthless.

    taxes.xls.osirus    myproposal.doc.osirus

A second attack mechanism is to change the FDE key and cause
the drive to instantly wink out. The part that I don't understand
is why would the previous FDE key be readable? Making it readable
encourages this sort of attack.

*******

The proposed defense mechanisms don't appear to address all the
attack methods. Some will be hidden to us (such as Windows Defender
being "curious" about any agent approaching an FDE key). They tell us
that root kits are not all that common any more, but who knows whether
they go as a one-two punch for Ransomware.

Maybe a safer backup is to manually boot a Macrium CD and make
a full to the external drive. Then shut down and disconnect the external
until next time.

What possibilities exist for attack via UEFI?

Paul
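
The file-by-file pattern described in the post above leaves a visible marker: a new suffix appended after a document extension, as in `taxes.xls.osirus`. The following is an added example, not part of the original post or thread, that flags such a marker in a file listing; the extension lists, thresholds, function names and sample paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Document types the post says are hit first, plus common relatives (assumed list).
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".ppt", ".pptx"}
# Suffixes that legitimately follow a document extension (assumed list).
BENIGN_TRAILERS = {".bak", ".tmp", ".lnk", ".zip", ".gz", ".old"}


def appended_extension(path):
    """Return the extra suffix if the name is <name>.<doc ext>.<extra>, else None."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if len(suffixes) < 2:
        return None
    inner, outer = suffixes[-2], suffixes[-1]
    if inner in DOC_EXTS and outer not in DOC_EXTS and outer not in BENIGN_TRAILERS:
        return outer
    return None


def suspicious_markers(paths, min_files=2, min_doc_types=2):
    """Group files by appended suffix; report suffixes seen on several
    files AND several document types, which a one-off rename would not produce."""
    hits = defaultdict(list)
    for p in paths:
        extra = appended_extension(p)
        if extra:
            hits[extra].append(p)
    report = {}
    for extra, files in hits.items():
        doc_types = {PureWindowsPath(f).suffixes[-2].lower() for f in files}
        if len(files) >= min_files and len(doc_types) >= min_doc_types:
            report[extra] = sorted(files)
    return report


# Constructed listing: the two names from the post plus ordinary files.
SAMPLE = [
    r"C:\Users\user\Documents\taxes.xls.osirus",
    r"C:\Users\user\Documents\myproposal.doc.osirus",
    r"C:\Users\user\Documents\budget.xls.bak",
    r"C:\Users\user\Documents\notes.doc",
    r"C:\Users\user\Documents\report.v2.docx",
    r"C:\Users\user\Documents\scan.pdf.part",
]

if __name__ == "__main__":
    for marker, files in suspicious_markers(SAMPLE).items():
        print(marker, "appended to", len(files), "files:", *files, sep="\n  ")
```

To check a real folder, pass `(str(p) for p in pathlib.Path(root).rglob("*"))` as `paths`. A hit means encryption has already started, so this is a tripwire for noticing it early, not a substitute for the disconnected backup.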